Multi Factor Authentication


Posts 1751
Nathan Parker | Forum Activity | Posted: Sun, Jun 21 2015 12:21 PM

With more of our data stored in Faithlife/Logos now, as well as our Faithlife/Logos account being linked to our credit cards, has there been any discussion about adding in an option for multi factor authentication?

Nathan Parker

Visit my blog at http://focusingonthemarkministries.com

Posts 3762
Francis | Forum Activity | Replied: Sun, Jun 21 2015 1:10 PM

The credit card information is only stored on their website, not our devices. In light of that, what possible use would someone have for, say, going on my tablet and doing unauthorized purchases on my account? The system is only set up so as to apply purchases to the user. I don't see how it could be exploited malevolently. But since you brought this up, are you concerned about anything specific? And as far as MFA goes, do you have something specific in mind?

Posts 9215
Forum MVP
Bruce Dunning | Forum Activity | Replied: Sun, Jun 21 2015 2:47 PM

Francis:
The credit card information is only stored on their website, not our devices.

My guess is that is what Nathan is talking about - when we access our credit card information on the Faithlife website.

Using adventure and community to challenge young people to continually say "yes" to God

Posts 1751
Nathan Parker | Forum Activity | Replied: Sun, Jun 21 2015 4:19 PM

There are a couple of reasons I bring up the suggestion of MFA:

1. Years ago, there actually was a data breach of Logos user accounts, and if I recall, some unauthorized purchases were made on customers' accounts. I was mailing in checks way back when, so I wasn't affected by it. I know Logos promptly resolved the issue and ensured everything was made right, but I remember when it happened. Some users were uneasy about it.

2. As Logos moves more to a cloud model with storing documents in the cloud, personal information related to ministry work will probably be stored on Faithlife/Logos' servers (notes on counseling sessions, etc.). While it would be recommended that pastors and ministry leaders that are concerned about storing sensitive information in the cloud find alternate methods to store their information, nonetheless, some may choose to store their sensitive documentation on Faithlife/Logos' servers for the convenience of syncing between devices and the tight integration with one's library.

While using a strong, randomly generated password is definitely a deterrent for having one's Faithlife/Logos account compromised, for those that are a little extra security conscious, MFA would be another good line of defense to protect one's account. As Faithlife/Logos does more with the cloud and document syncing/sharing, plus the fact that it is also the gateway to purchasing resources for one's library, the extra line of protection might be worth looking into. It can of course be optional, but yet a good option to have.

Nathan Parker

Visit my blog at http://focusingonthemarkministries.com

Posts 2829
Don Awalt | Forum Activity | Replied: Sun, Jun 21 2015 4:48 PM

I would think Faithlife would move to it just to avoid a future PR issue - many, many companies support it now. In today's world, a breach could not just affect credit cards, but steal addresses, email addresses, phone numbers, and bring email phishing attacks, rogue impersonation phone call scams, and more into play for its customers. If there was a breach it would be a major embarrassment and public relations disaster to a company centering their strategy on the cloud - a mea culpa from the CEO would probably not be enough for public perception, people would wonder why wasn't this implemented, what were they thinking.

Many companies make it an option for customers to choose MFA, so it's then their issue if something happens. I too wonder why FL hasn't implemented this.

Posts 2543
Lee | Forum Activity | Replied: Sun, Jun 21 2015 5:08 PM

Personally I would opt out of any MFA scheme. I still prefer the good old password, which is adequate provided that F.L. security is up to industry standards.

Putative data leaks on F.L.'s end can only possibly be mitigated by MFA.

Posts 8195
LogosEmployee

Francis:
The credit card information is only stored on their website, not our devices.

It's not even stored on our website: when you enter a credit card number into logos.com, it's immediately transmitted to a secure, third-party payment management company, then immediately deleted from our systems. (So even if logos.com was hacked, your payment information would never be exposed.)

Posts 1751
Nathan Parker | Forum Activity | Replied: Sun, Jun 21 2015 5:26 PM

Bradley Grainger (Faithlife):

Francis:
The credit card information is only stored on their website, not our devices.

It's not even stored on our website: when you enter a credit card number into logos.com, it's immediately transmitted to a secure, third-party payment management company, then immediately deleted from our systems. (So even if logos.com was hacked, your payment information would never be exposed.)

That's great to know. Thanks for the info!

Nathan Parker

Visit my blog at http://focusingonthemarkministries.com

Posts 2829
Don Awalt | Forum Activity | Replied: Sun, Jun 21 2015 5:32 PM

Bradley Grainger (Faithlife):

Francis:
The credit card information is only stored on their website, not our devices.

It's not even stored on our website: when you enter a credit card number into logos.com, it's immediately transmitted to a secure, third-party payment management company, then immediately deleted from our systems. (So even if logos.com was hacked, your payment information would never be exposed.)

Great to know, thanks Bradley! What about personal information like addresses, phone numbers, email?

Posts 9215
Forum MVP
Bruce Dunning | Forum Activity | Replied: Sun, Jun 21 2015 5:42 PM

Nathan Parker:
That's great to know. Thanks for the info!

Yes

Using adventure and community to challenge young people to continually say "yes" to God

Posts 8195
LogosEmployee

Don Awalt:
Great to know, thanks Bradley! What about personal information like addresses, phone numbers, email?

This is stored on our servers (as are documents, settings, and other sync data). These databases are protected by industry best practices for technical and physical security, regularly audited by a third-party, etc.

Posts 2829
Don Awalt | Forum Activity | Replied: Mon, Jun 22 2015 4:06 AM

Thanks Bradley!
